I'm currently a master degree student, and I'd like to benchmark packet filter over the number of tcp sessions per seconds it can handle.

So I've got a very basic setup working, consisting of one server running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's running Linux, acting respectively as client and webserver (running apache2 for the last).

Basically, the client spams standard HTTP requests to the server via the firewall using a basic HTTP injector tool and evaluates the number of sucessful processed requests per seconds.

As one can expect, there is an inverse relationship between the number of sessions/s a firewall can sustain and the size of the object of the request. To achieve maximum throughput, you've got to request big size objects (i.e 50KB or more), whereas to achieve maximum sessions rate per second, you've got to make requests with 0 size objects.

Prior to this, I've run some tests with a Linux firewall running iptables, and I've come up with an average rate of 11300 sessions/s for 0 size objects (straight up results, no tweaks or improvements made).

Moving on to the OpenBSD tests, I only achieved an average rate of 7000 sessions/s for 0 size object (starting up at 8000, slowly decreasing to 7000 - 6500 ...), which is way above the linux/iptables average rate . I then tried to make some tweaks in /etc/sysctl.conf, but no improvement so far. The ruleset I use is the following (copied from the OpenBSD pf tutorial) :

So I come here now to know whether you guys have any idea what sort of tweaks I could try to significantly enhance the number of tcp sessions per seconds processed by PF. I'm kind of a PF newbie, so I'm clueless for the moment . Any hints, thoughts or ideas is appreciated !